phpcs:ignore the verify token, which is a nonce

newfold-labs · Nov 18, 2024 · 0db7084 · 0db7084
1 parent 85c4630
commit 0db7084
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/includes/HiiveConnection.php b/includes/HiiveConnection.php
@@ -78,24 +78,32 @@ public function rest_api_init(): void {
 	 *
 	 * Hiive will first attempt to verify using the REST API, and fallback to this AJAX endpoint on error.
 	 *
+	 * Token is generated in {@see self::connect()} using {@see md5()}.
+	 *
 	 * @hooked wp_ajax_nopriv_nfd-hiive-verify
 	 *
 	 * @return never
 	 */
 	public function ajax_verify() {
-		$valid  = $this->verify_token( $_REQUEST['token'] );
-		$status = ( $valid ) ? 200 : 400;
+		// PHPCS: Ignore the nonce verification here – the token _is_ a nonce.
+		// @phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$token = $_REQUEST['token'];
+
+		$is_valid = $this->verify_token( $token );
+		$status   = ( $is_valid ) ? 200 : 400;
 
 		$data = array(
-			'token' => $_REQUEST['token'],
-			'valid' => $valid,
+			'token' => $token,
+			'valid' => $is_valid,
 		);
 		\wp_send_json( $data, $status );
 	}
 
 	/**
 	 * Confirm whether verification token is valid
 	 *
+	 * Token is generated in {@see self::connect()} using {@see md5()}.
+	 *
 	 * @param string $token Token to verify
 	 */
 	public function verify_token( string $token ): bool {